Cisco CP-8961 MIC certificates

Hi everybody,
we want to configure 802.1X EAP-TLS authentication on our CP-8961 phones. Following the steps in this documentation
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/IP_Tele/IP_Telephony_DIG.html#wp390292
I was able to configure EAP-TLS for our phones. Unfortunately, according to the ACS logs, both the MIC and LSC rules do not match. The authentication matches the default rule (permit access), but the TLS handshake succeeded every time. Since I'm not an SSL/TLS guru, I assume the phone has a certificate.
To view the certificate installed on the phone I followed this instruction: https://supportforums.cisco.com/docs/DOC-25798. In the first step you trigger the "troubleshoot" from our CUCM. Unfortunately it does not generate anything under /cm/trace/capf/sdi.
So now my question is: what certificate does my 8961 use for EAP-TLS (MIC and LSC rules do not match, troubleshoot does not generate anything), and how can I view the certificate without capturing the traffic with tcpdump/wireshark?
Thanks in advance

I could solve my problem.
Since I did not choose the right Device Security Profile option on CUCM under the phone configuration, the "troubleshoot" option under CAPF did not generate any output under /cm/trace/capf/sdi.
After creating the right security profile for my CP-8961 desk phone, "troubleshoot" succeeded.
Reviewing the generated MIC certificate, I noticed that the OU is not EVVBU as described here
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html#wp389672 but is VTG.
After changing the OU from EVVBU to VTG on my ACS, the rule matches.
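One way to answer the "which certificate does the phone present" question offline, as an added example that is not code from this thread or from Cisco: the script below reads the subject and issuer of an exported phone certificate (DER or PEM, such as the one pulled from the CAPF troubleshoot trace) with a minimal DER walker and applies the subject-OU check that the ACS rule relies on. Assumptions: the MIC OU values {EVVBU, VTG} come from the thread; treating an issuer CN containing "CAPF" as an LSC is an assumption, and the sample certificate is constructed inside the script, not a real MIC.

```python
"""Added example: inspect a Cisco IP phone certificate (DER or PEM, e.g. exported via the
CAPF troubleshoot trace) and report which ACS rule, MIC or LSC, it would match.
Standard library only; the sample certificate below is CONSTRUCTED, not a real MIC."""
import base64

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.11": "OU"}
MIC_OUS = {"EVVBU", "VTG"}  # docs say EVVBU; the 8961 in this thread carried VTG

def read_tlv(buf, pos):  # minimal DER: (tag, value, next_pos) for the TLV at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):  # body of a SEQUENCE/SET -> list of (tag, value) items
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        items.append((tag, val))
    return items

def decode_oid(b):
    arcs, v = [str(b[0] // 40), str(b[0] % 40)], 0
    for byte in b[1:]:
        v = (v << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, v = arcs + [str(v)], 0
    return ".".join(arcs)

def decode_name(name_body):
    """X.501 Name: SEQUENCE OF SET OF SEQUENCE { type OID, value } -> dict."""
    attrs = {}
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            attrs[OID_NAMES.get(decode_oid(oid), decode_oid(oid))] = val.decode()
    return attrs

def cert_names(cert):
    """Walk Certificate -> tbsCertificate; return (subject, issuer) dicts."""
    if isinstance(cert, str):               # PEM (or bare base64) -> DER bytes
        cert = base64.b64decode("".join(l for l in cert.splitlines() if "-----" not in l))
    _, cert_body, _ = read_tlv(cert, 0)
    fields = children(children(cert_body)[0][1])
    i = 1 if fields[0][0] == 0xA0 else 0    # optional [0] EXPLICIT version
    return decode_name(fields[i + 4][1]), decode_name(fields[i + 2][1])

def acs_rule_for(cert):
    """Rule the certificate would match: LSC by issuer, MIC by subject OU."""
    subject, issuer = cert_names(cert)
    if "CAPF" in issuer.get("CN", ""):      # ASSUMPTION: LSCs are signed by CUCM's CAPF
        return "LSC", subject
    return ("MIC" if subject.get("OU") in MIC_OUS else "NONE"), subject

def tlv(tag, body):  # tiny DER writer, used only to CONSTRUCT the sample below
    n = len(body)
    length = bytes([n]) if n < 128 else b"\x81" + bytes([n]) if n < 256 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def encode_oid(dotted):
    a = [int(x) for x in dotted.split(".")]
    out = bytes([40 * a[0] + a[1]])
    for v in a[2:]:
        chunk, v = bytes([v & 0x7F]), v >> 7
        while v:
            chunk, v = bytes([0x80 | (v & 0x7F)]) + chunk, v >> 7
        out += chunk
    return tlv(0x06, out)

def encode_name(attrs):
    return tlv(0x30, b"".join(tlv(0x31, tlv(0x30, encode_oid(o) + tlv(0x13, v.encode())))
                              for o, v in attrs))

def sample_cert(ou, issuer_cn="Cisco Manufacturing CA"):
    """Constructed test cert: real field layout, but dummy key and signature."""
    sig_alg = tlv(0x30, encode_oid("1.2.840.113549.1.1.11") + b"\x05\x00")
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01\x23") + sig_alg   # version, serial, alg
              + encode_name([("2.5.4.10", "Cisco Systems"), ("2.5.4.3", issuer_cn)])   # issuer
              + tlv(0x30, tlv(0x17, b"130101000000Z") + tlv(0x17, b"230101000000Z"))  # validity
              + encode_name([("2.5.4.3", "CP-8961-SEP001122AABBCC"), ("2.5.4.11", ou),
                             ("2.5.4.10", "Cisco Systems Inc")]) + tlv(0x30, b""))     # subject, SPKI stub
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00\x00"))                            # dummy signature

def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode()
```

Run `acs_rule_for(open("phone.cer", "rb").read())` on a real export to see the subject the ACS rule is evaluated against; the constructed `sample_cert("VTG")` reproduces the thread's case.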

Similar Messages

  • Cisco Jabber for Windows Certificate Issues

    Hi,
    I have configured Cisco Jabber with device security mode "Encrypted". Once I use this mode I get an error message in Cisco Jabber:
    "The certificate enrollment for secure computer calling has not been activated. Contact your system administrator."
    The softphone feature is not working because of this.
    Do you have any fix for this issue?
    Thanks,
    VJ

    Hi Jonathan,
    I have one more issue with Cisco Jabber using authentication string. The authentication string works fine with the Jabber and softphone functionality is working.
    Now the problem is: if a single user has two Jabber clients, one installed on a laptop and a second on a desktop, the authentication string window is presented to the Jabber client which logs in first. For example, if I log in from my laptop the window pops up to enter the authentication string. But now when I open Jabber on my desktop it doesn't give me the option to enter the authentication string and the softphone doesn't work.
    Thanks,
    Vaijanath

  • Cisco AnyConnect 3.1 - Certificate Validation Failure.

    When I try to start an SSL VPN connection to the ASA (8.4) with AnyConnect 3.1, Cisco AnyConnect receives a message saying "No Valid Certificates Available for Authentication".
    Prior to the test:
    - On the ASA, I have obtained the CA certificate and its identity certificate (both certificates obtained from a Windows 2008 CA).
      * The ASA identity certificate has EKU attribute = Server Authentication, Key Usage = Digital Signature, Key Encipherment.
    - On the PC on which AnyConnect is installed, I have obtained a User Certificate (this user certificate is also obtained from the same Windows 2008 CA).
      * Prior to obtaining the user certificate from the Windows 2008 CA, the ASA acts as a SCEP proxy on behalf of the client PC.
      * The user certificate has EKU attribute = Client Authentication.
    As in the ASDM logs, it almost works.
    In days of troubleshooting, I still could not find the cause of this problem. Error message as appeared on AnyConnect:
    Is there anyone who could help?
    Keshara from Sri Lanka.

    Just ran into this as well. We have CRL checking turned on. Turned out the CRL server was down. But that was the same message I got when the client wouldn't connect.

  • Import cert in Cisco 7921 with error "certificate verification failed"

    Hi everyone
    I am trying to install a digital cert on a 7921 and I get the message on import of "certificate verification failed".
    I have tried a number of times: create the CSR file, then log in to the certificate web site and get the file assigned, then import it back to the phone. I used the DER format.
    Many thx indeed,
    Roy

    Hi,
    Referencing: https://supportforums.cisco.com/thread/2095711
    Have you followed the steps outlined on page 72 of this guide? This should be applicable to 792x.
    http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7925g/7_0/english/deployment/guide/7925dply.pdf
    Do you have any trace logs from the phone you can post after your attempt to import the cert?

  • NPS and Cisco ASA 5510 - AnyConnect Certificate based authentication

    Hi everyone,
    Hoping someone can help please.
    We're trying to go for a single VPN solution at our company, as we currently have a few, acquired through buying other companies.
    We're currently running a 2008 R2 domain, so we're looking at NPS, and we have Cisco ASA 5510 devices for the VPN side.
    What we would like to achieve is certificate-based authentication. So, the user laptop has a certificate applied via group policy based on domain membership and group settings, then the user goes home. They connect via Cisco AnyConnect via the Cisco ASA 5510, and then that talks to MS 2008 R2 NPS and authenticates for VPN access and, following that, network connectivity.
    Has anyone implemented this before and if so, are there any guides available please?
    Many Thanks,
    Dean.

    Hi Dean,
    Thanks for posting here.
    Yes, this is possible. But we have a guide about a sample that uses a Windows-based server (RRAS) to act as the VPN server, working with a Windows RADIUS/NPS server and using a certificate-based authentication method (Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) or PEAP-TLS without smart cards) for reference:
    Checklist: Configure NPS for Dial-Up and VPN Access
    http://technet.microsoft.com/en-us/library/cc754114.aspx
    Thanks.
    Tiger Li
    TechNet Community Support

  • Cisco ISE User Authentication Certificates for Wired and Wireless Users (BYOD)

    Can anyone tell me where we can purchase User Authentication Certificates for Wired and Wireless Users (BYOD) for Cisco ISE? Also confirm what certificates we require for the purpose.
    Please suggest the website from where we can purchase them and import them in the Cisco ISE certificate section.
    Thanks.

    Dear Mohana,
    Thanks for your reply. Can you please confirm for me, in regards to the EAP-TLS certificate, which authorities you recommend if I go to GoDaddy or VeriSign to buy it and then import it in ISE.
    Looking forward to your reply.
    Regards,
    Muhammad Imran Shaikh
    Resident Engineer, IT Network Section - PPL
    Mobile : 0092-312-288-1010
    LinkedIn : pk.linkedin.com/pub/muhammad-imran-shaikh/10/471/b47/

  • Cisco NCS install signed certificate

    Hello!
    I have difficulties installing a wildcard certificate (*.domain.com) into Cisco NCS Prime.
    admin#ncs key importkey key.pem cert.perm repository ftpRepo
    INFO: no staging url defined, using local space.        rval:2
    INFO: no staging url defined, using local space.        rval:2
    The WCS server is running
    Changes will take affect on the next server restart
    Importing RSA key and matching certificate
    Everything looks good! But after server restart I see old, self-signed certificate.
    Please help me with this issue.

    restore.log:
    Mon Mar  4 15:37:29 NOVT 2013: dowload of 2015_02_16.crt from repository ftpRepo: success.
    Mon Mar  4 15:37:29 NOVT 2013: dowload of 2015_02_16.key from repository ftpRepo: success.
    ADE.log:
    Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: transfer: cars_xfer_util.c[125] [admin]: full url is ftp://10.54.111.20/2015_02_16.key
    Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:backup: br_backup.c[41] [admin]: flushing the staging area
    Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: locks:file: lock.c[385] [admin]: released backup lock
    Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[252] [admin]: running date
    Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[52] [admin]: created backup history lock file
    Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[76] [admin]: obtained backup history lock
    Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[160] [admin]: loaded history file /var/log/restore.log
    Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[118] [admin]: stored backup history file
    Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[118] [admin]: stored backup history file
    Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[90] [admin]: released backup history lock
    Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[310] [admin]: added record to history
    Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: locks:file: lock.c[371] [admin]: obtained backup lock
    Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: config:backup: br_stage.c[72] [admin]: staging config set to default settings
    Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:backup: br_backup.c[41] [admin]: flushing the staging area
    Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: locks:file: lock.c[371] [admin]: obtained repos-mgr lock
    Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: config:repository: rm_repos_cfg.c[173] [admin]: loaded repository ftpRepo
    Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: locks:file: lock.c[385] [admin]: released repos-mgr lock
    Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: transfer: cars_xfer.c[54] [admin]: ftp copy in of 2015_02_16.crt requested
    Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: transfer: cars_xfer_util.c[92] [admin]: ftp get source - 2015_02_16.crt
    Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: transfer: cars_xfer_util.c[93] [admin]: ftp get destination - /opt/CSCOncs/migrate/restore/2015_02_16.crt
    Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: transfer: cars_xfer_util.c[112] [admin]: initializing curl
    Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: transfer: cars_xfer_util.c[125] [admin]: full url is ftp://10.54.111.20/2015_02_16.crt
    Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:backup: br_backup.c[41] [admin]: flushing the staging area
    Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: locks:file: lock.c[385] [admin]: released backup lock
    Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[252] [admin]: running date
    Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[76] [admin]: obtained backup history lock
    Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[160] [admin]: loaded history file /var/log/restore.log
    Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[118] [admin]: stored backup history file
    Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[118] [admin]: stored backup history file
    Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[90] [admin]: released backup history lock
    Mar  4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[310] [admin]: added record to history
    keyadmin-0-1.log:
    03/01/13 16:00:14.962 INFO  [system] [main] Setting management interface address to 10.54.11.108
    03/01/13 16:00:14.968 INFO  [system] [main] Setting peer server interface address to 10.54.11.108
    03/01/13 16:00:14.968 INFO  [system] [main] Setting client interface address to 10.54.11.108
    03/01/13 16:00:14.968 INFO  [system] [main] Setting local host name to sib-ncs01
    03/01/13 16:00:17.647 INFO  [admin] [main] The WCS server is running
    03/01/13 16:00:17.647 INFO  [admin] [main] Changes will take affect on the next server restart
    03/01/13 16:00:17.647 INFO  [admin] [main] Importing RSA key and matching certificate
    Other logs don't show issues.

  • Cisco ASA Backup Restore Certificates

    I have a Cisco ASA 5505 as a BOVPN endpoint using certificates. The config is complete and I now need to back it up and restore to a cold standby Cisco ASA 5505 that will sit on the shelf until something goes wrong.
    Problem is I cannot restore my certificates to the standby.
    Can someone point me to a process please.
    I have tried the backup and restore wizard in ASDM and to be honest it didn't work.
    Please help.
    Thanks,

    Martin,
    Wouldn't it be simpler to put the two in failover for a few minutes (sync is done automatically on bulk sync)?
    Otherwise I can suggest to export the certificate in PKCS12 (cert + RSA) from active unit and import it into the "standby".
    Active:
    ciscoasa(config)# crypto ca export TEST pkcs12 cisco123
    Standby:
    ciscoasa(config)# crypto ca import TESTBLA pkcs12 cisco123
    Marcin

  • Certificate authentication for Cisco VPN client

    I am trying to configure the Cisco VPN client for certificate authentication on my ASA 5512-X. I have it set up currently for group authentication with a shared password. This works fine. But in order for you to pass PCI compliance you cannot allow aggressive mode for IKEv1. The only way to disable aggressive mode (and use main mode) is to use certificate authentication for the VPN client. I know that someone out there must be doing this already. I am going round and round with this. I am missing something.
    Try as I might, all I can get are some cryptic error messages from the client and nothing on the firewall, i.e. "failed to generate signature", "invalid remote signature id". I have tried using different signatures (one built on the ASA and bought from GoDaddy, one built from a Windows CA, and one self-signed).
    Can someone provide the instructions on setting this up (ASDM or CLI)? Can this even be done? I would love to just use the AnyConnect client but I believe you need licensing for that since our system states only 2 allowed. Thank you for your help.

    Dear Doug,
    What ASA code are you running on your ASA hardware? For Cisco AnyConnect you need to have code 8.0 on your hardware with the Cisco AnyConnect Essentials license enabled. Paste me your show version and I will help you with whether you need to procure a license for your hardware. By default your hardware will be shipped with an AnyConnect Essentials license when you have ordered your hardware with ASA code above 8.0.
    With AnyConnect Essentials you are allowed to use up to the total VPN peers allowed based on your hardware.
    1) What is the AnyConnect Essentials License?
    The AnyConnect Essentials is a license that allows you to connect up to your 'Total VPN Peers' platform limit with AnyConnect. Without an AnyConnect Essentials license, you are limited to the 'SSL VPN Peers' limit on your device. With the AnyConnect Essentials license, you can only use AnyConnect for SSL; other features such as CSD (Cisco Secure Desktop) and using the SSL VPN portal page for anything other than launching AnyConnect are restricted.
    You can see your limits for the various licensing by issuing the 'show version' command on your ASA.
    Licensed features for this platform:
    Maximum Physical Interfaces    : Unlimited
    Maximum VLANs                  : 150      
    Inside Hosts                   : Unlimited
    Failover                       : Active/Active
    VPN-DES                        : Enabled  
    VPN-3DES-AES                   : Enabled  
    Security Contexts              : 2        
    GTP/GPRS                       : Disabled 
    SSL VPN Peers                  : 2        
    Total VPN Peers                : 750      
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled 
    AnyConnect for Cisco VPN Phone : Disabled 
    AnyConnect Essentials          : Disabled 
    Advanced Endpoint Assessment   : Disabled 
    UC Phone Proxy Sessions        : 2        
    Total UC Proxy Sessions        : 2        
    Botnet Traffic Filter          : Disabled
    Licensed features for this platform:
    Maximum Physical Interfaces    : Unlimited
    Maximum VLANs                  : 150      
    Inside Hosts                   : Unlimited
    Failover                       : Active/Active
    VPN-DES                        : Enabled  
    VPN-3DES-AES                   : Enabled  
    Security Contexts              : 2        
    GTP/GPRS                       : Disabled 
    SSL VPN Peers                  : 2        
    Total VPN Peers                : 750      
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled 
    AnyConnect for Cisco VPN Phone : Disabled 
    AnyConnect Essentials          :  Enabled
    Advanced Endpoint Assessment   : Disabled 
    UC Phone Proxy Sessions        : 2        
    Total UC Proxy Sessions        : 2        
    Botnet Traffic Filter          : Disabled
    AnyConnect VPN configuration:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml

  • EAP-TLS w/freeradius failing. Phone doesn't present Client certificate.

    Hello,
    I'm currently on the first phases of deploying a Cisco IPT 802.1X based proof of concept using freeradius, Cisco switching infrastructure (4500's).
    The requirements are to use EAP-TLS authentication for the phones, and freeradius as Radius Server.
    While trying out the concept in lab using an ISE Radius server, the configuration was straightforward and I did manage to authenticate IP phones using their MIC certificates to the ISE.
    Going to actual testing with freeradius, EAP-TLS authentication keeps looping, the phones keep sending RADIUS Access requests, but not being rejected or allowed.
    What was done:
    - set up freeradius with EAP-TLS configuration, trusting both the Cisco CA root and manufacturing root.
    - freeradius has a server certificate generated by Thawte SSL CA certificate, where EKU fields are properly set for server authentication (and also client authentication)
    - Phone had 802.1X enabled (and it does support EAP-TLS, as verified with the ISE test)
    What I can see while running a wireshark trace on freeradius is:
    - both parties negotiate properly that they will engage in EAP-TLS.
    - they start the TLS handshake.
    - the server sends its certificate in a Server Hello to the phone (which is meant to not validate it).
    - the client (phone) never sends its certificate (MIC) to the server.
    - the client restarts the EAP-TLS negotiation and goes on and on.
    Unfortunately the debugs/captures on freeradius do not allow me to verify whether the server certificate exchange is finished, or whether it is failing somewhere (like a fragment being dropped).
    Does anyone have an idea on what might be happening? I find it very strange that the phone, on a freeradius deployment, would behave differently than on an ISE deployment, especially because it doesn't validate the server certificate, so it shouldn't matter what is presented to the phone.
    Phone firmware is 9.2(3) and callmanager 8.6
    Thanks
    Gustavo Novais

    Found the problem. Apparently ADU can't access the certificate store if the client is not part of the AD domain.

  • Cisco 5508 HA

    Hi all,
    We recently installed a pair of Cisco 5508 controllers running 7.6.110.0. Right now I don't want to use the 'Redundancy' / 'HA' features, preferring instead to run with an Active/Standby pair controller through the HA tab configured in all APs.
    As part of the upgrade to 7.6.110.0 we upgraded the secondary controller first, moved APs over one by one, then upgraded the primary. Right now I am having an issue moving the APs back to the primary. To confirm:
    - the mobility group is the same on both devices
    - mobility is up
    - I am allowing MIC certificates
    - AP fallback is enabled
    - device names, etc all match as I appreciate there can be issues as this is case sensitive
    As far as I was aware that was all that needed to match for this to work. One thing I have noticed however is that if I go into Redundancy -> Global Configuration both the Primary and Secondary are defined as the 'Primary' redundant unit. I've not activated, at least I thought I had not activated, this level of redundancy. Could this be what is causing it? I'm a bit wary of changing this value as I believe the controller will reboot.
    Can anybody shed any light on this. The intention was to eventually enable the redundancy and SSO, etc but not right now.
    Thanks

    Hi Leo, Scott
    So I was doing a bit more reading on this: http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69639-wlc-failover.html. It is an old document, but working through it, the document suggested that you didn't need to specify the IP address of the Primary or Secondary controller in Wireless -> All AP -> AP_NAME -> High Availability. I removed this from one of the APs that was at the time serving no clients and tried to move it to the secondary and it worked. I then moved it back to the primary and it worked again.
    Any reason why this would happen? The IP addresses I was using were 100% correct. The only difference I see for this controller as opposed to others we manage is the introduction of new interface types i.e. 'redundancy management' , 'redundancy port' ,etc. I do not have redundancy enabled so I'm guessing not, but having trawled through the configuration this is the only difference I can see?

  • Import certificate to E51

    Hi,
    I'm having a problem when trying to import certificates to my Nokia E51. When I downloaded the file from the web, my phone kept saying "File Corrupted".
    I have tried using another web solution and also uploading the files to my own web server and setting the MIME types. Both ways I get the same result.
    Anyone have any idea why it says corrupt?
    Thanks
    Billy

    Hello,
    It depends which type of certificate you would like to import.
    Anyway crypto ca import command is a good start.
    You can find 2 examples of certificates import here:
    http://www.fcug.fr/cisco-asa-importer-un-certificat-pkcs12 and http://www.fcug.fr/migrer-un-certificat-ssl-de-vpn3000-vers-asa
    Thanks

  • Cisco ACS register to primary with different acs versions

    Hello, I've updated a backup unit of two ACS to version 5.4.0.46.0a. First I changed it to standalone, and now I try to register it to the main ACS, which is running version 5.1.0.44.2.
    And I get this error:
    This System Failure occurred:  com.cisco.nm.acs.im.certificate.Certificate; local class incompatible: stream classdesc serialVersionUID = 8507982043664257993, local class serialVersionUID = 1927357986028617243. Your changes have not been saved.Click OK to return to the list page.
    What can I do to solve it?
    Kind regards

    The primary and secondary should be running on the same code.
    Jatin Katyal
    - Do rate helpful posts -

  • Cisco ISE in Apple Mac Environment

    Hi,
    One of our clients needs to implement BYOD in their network. They are using Mac servers and clients. The requirement is to authenticate (wireless) users against the Mac directory server, in order to provide access to resources. I am trying to figure out whether Cisco ISE can perform LDAP authentication with a Mac server. As per this document, Mac server is not a supported external identity source/LDAP server. Currently they are providing access to users by adding MAC addresses to the WLC manually, which is not practical now due to the increase in the number of end devices, and the limitation in MAC addresses supported by the WLC (2048).
    Is it possible to implement this? Has anyone come across a similar scenario?
    Thanks,
    John

    The Cisco Identity Services Engine (Cisco ISE) integrates with external identity sources to validate credentials in user authentication functions, and to retrieve group information and other attributes that are associated with the user for use in authorization policies. You must configure the external identity source that contains your user information in Cisco ISE. External identity sources also include certificate information for the Cisco ISE server and certificate authentication profiles.
    Both internal and external identity sources can be used as the authentication source for sponsor authentication and also for authentication of remote guest users.
    Table 5-1 lists the identity sources and the protocols that they support.
    Table 5-1 Protocol Versus Database Support
    Protocol (Authentication Type)                          | Internal Database | Active Directory | LDAP | RADIUS Token Server or RSA
    EAP-GTC, PAP (plain text password)                      | Yes               | Yes              | Yes  | Yes
    MS-CHAP password hash: MS-CHAPv1/v2, EAP-MSCHAPv2, LEAP | Yes               | Yes              | No   | No
    EAP-MD5, CHAP                                           | Yes               | No               | No   | No
    EAP-TLS, PEAP-TLS (certificate retrieval)               | No                | Yes              | Yes  | No
    Note: For TLS authentications (EAP-TLS and PEAP-TLS), identity sources are not required, but are optional and can be added for authorization policy conditions.
    Abbreviations: LDAP = Lightweight Directory Access Protocol; EAP-GTC = Extensible Authentication Protocol-Generic Token Card; PAP = Password Authentication Protocol; MS-CHAP = Microsoft Challenge Handshake Authentication Protocol; MS-CHAPv1/v2 = Microsoft Challenge Handshake Authentication Protocol Version 1/Version 2; EAP-MSCHAPv2 = Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol Version 2; LEAP = Lightweight Extensible Authentication Protocol; EAP-MD5 = Extensible Authentication Protocol-Message Digest 5; CHAP = Challenge-Handshake Authentication Protocol; EAP-TLS = Extensible Authentication Protocol-Transport Layer Security; PEAP-TLS = Protected Extensible Authentication Protocol-Transport Layer Security.
    And for the WLC, check the link: www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html#backinfo

  • Importing Cisco VPN information into Finder VPN

    Hello,
    I have recently upgraded to OS X Lion and the Cisco VPN Client used by my university no longer works. They suggest another client (Shrew Soft), which also doesn't work. What I'd like to be able to do is use the VPN configuration information provided by my institute with the Finder's own VPN capability, bypassing the need for a buggy client program.
    I've already read this thread, however it hasn't helped:
    https://discussions.apple.com/thread/2274119?start=0&tstart=0
    My problem seems to be that I need TWO files to configure Cisco correctly, a root certificate (which appears to be in .pem format) and a .pcf file. If I follow the "standard procedure" for importing the .pcf details -- that is, without using the root certificate somehow -- I get the message "The VPN server did not respond. Verify the server address and try reconnecting." Clearly I need somehow to be using BOTH files in order to establish a connection.
    I have messed around with adding the root certificate to my System keychain, but the Finder doesn't display it when I go to "authentication settings". Instead I have only two certificates with "apple" in the name.
    Even if I could add the root certificate successfully, this would surely be fruitless, as I would then no longer be using the shared secret.
    SO, my query is: How can I combine both of these files into a single certificate that I can then add to my keychain and use for machine identification? Please bear in mind that I am not a computer specialist and am not au fait with Open SSL, and so forth. I'm prepared to grapple with it if it's the only way to get my VPN working again, but I will really need a very clear explanation of each step!
    Many thanks in advance!

    No ideas?
